Prototype Pollution Vulnerability in Merge-Options Module by Node.js
CVE-2018-3752

9.8CRITICAL

Key Information:

Vendor: Merge-options Project
Status: Merge-options
Vendor: CVE Published:; 3 July 2018

🔔 Create Merge-options Project Vulnerability Alert

What is CVE-2018-3752?

The merge-options node module has a vulnerability that allows attackers to manipulate the prototype of JavaScript objects. By controlling parts of the input structure to the utilities function, an attacker can add or modify properties that affect all objects in the application. This can lead to unauthorized changes and impact the integrity of the system.

References

https://hackerone.com/reports/311336

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 3, 2018
Vulnerability Reserved
Dec 28, 2017

CVE-2018-3752 Data

JSON